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Summary 

Ke  introduce  a  modal  logic  which  can  be  used  to  formally  reason  about 
synchronous  fixed  connection  multiprocess  networks  such  as  of  VLSI.  Our  logic 
has  both  temporal  and  spatial  modal  operators.  The  various  temporal  modal 
operators  allow  us  to  relate  properties  of  the  current  state  of  a  given 
process  with  properties  of  succeeding  states  of  the  given  process.  Also,  the 
spatial  modal  operators  allow  us  to  relate  properties  of  the  current  state  of 
a  given  process  with  properties  of  the  current  state  of  neighboring  processes. 
Many  interesting  properties  for  multiprocessor  networks  can  be  elegantly 
expressed  in  our  logic.  We  give  examples  of  the  diverse  applications  of  our 
logic  to  packet  routing  firing  squad  problems,  and  systolic  algorithms. 

We  show  that  deciding  validity  of  a  formula  in  our  logic  is  not  decidable. 
However,  we  show  that  deciding  validity  of  a  proportional  formula  in  our  logic 
with  respect  to  a  given  finite  network  is  PSP ACE- complete.  We  also  investigate 
the  decidability  issues  of  different  versions  of  this  logic. 
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1.  Introduction .  One  of  the  fundamental  models  of  parallel  computation  is  a 
collection  of  synchronous  processors  with  fixed  inter-connections.  For  example, 
the  iterative  linearly  connected,  mesh  connected,  and  multidimensional  arrays 
of  [Ko69]  and  [Co69] ,  the  shuffle  exchange  networks  of  [St71]  and  ultracom^uter 
of  [Sc80] ,  and  the  cube  connected  cycles  networks  of  [PV79]. 

Parallel  algorithms  for  such  networks  are  difficult  to  formerly  describe 
and  prove  correct.  For  example,  the  systolic  algorithms  of  [KL80]  are  not 
formally  proved  correct  in  this  paper;  instead  they  present  informal  "picture 
proofs.” 

An  informal  description  of  a  program  or  algorithm  for  a  fixed  connection  net¬ 
work  would  likely  make  reference  to  the  spatial  relationships  between  neighboring 
processes  and  properties  holding  for  all  processes,  as  well  as  the  transformations 
over  time.  Indeed,  natural -English  allows  expression  of  spatial  medal  operators 
such  as  "everywhere”,  "somewhere",  "across  such  and  such  connection",  as  well  as 
temporal  modal  operators  such  as  "until",  "eventually",  "hereafter",  and  "next¬ 
time".  However,  natural  English  cannot  suffice  for  formal  semantics.  This  paper 
proposes  a  formal  logic  allowing  use  of  these  modal  operators  in  the  context  of  a 
fixed  connection  network.  Section  2  defines  our  logic* s  syntax  and  semantics. 

Previous  program  logics  contained  only  temporal  modal  operations  [Pn77] , 

[MP81]  or  modal  operations  for  the  effect  of  program  statements  [FL79J .  Temporal 
logic  has  been  used  to  reason  about  parallel  programs;  however  it  is  impractical 
to  use  this  logic  to  reason  about  large  number  of  processes  operating  synchronously 
and  communicating  through  fixed  connections.  Our  use  of  spatial  as  well  as 
temporal  modal  operators  is  a  new  idea.  (Note:  our  spatial  modal  operators 
differ  in  an  essential  way  from  the  model  operators  of  dynamic  logic;  see 
Section  2.3).  This  combination  of  temporal  and  spatial  modal  operators  allow  us 
to  formally  reason  about  computations  on  networks  with  complex  connections. 
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The  contribution  of  this  paper  is  more  than  simply  the  definition  of  our  net¬ 
work;  we  also  describe  applications  and  investigate  its  computational 
complexity  of  its  decision  problems. 

Section  3  describes  some  interesting  applications  of  our  logic  to  routing 
on  the  shuffle  exchange  network ,  to  the  firing  squad  problem  on  a  linear  array, 
and  to  stystolic  computations  on  arrays.  We  felt  these  examples  to  multiprocess 
networks  illustrate  the  general  applicability. 

Section  4  investigates  the  problem  of  fasting  validity  of  formulae  of  our 
logic.  We  show  the  set  of  valid  formulas  are  Il^-complete.  However,  in  practice 
we  are  generally  only  interested  in  deciding  validity  of  a  proportional  formula 
with  respect  to  a  given  finite  network.  We  show  this  problem  is  PSPACE- complete. 
Also,  we  show  in  the  full  paper  that  it  is  decidable  to  test  validity  of 
proportional  formulae  with  restricted  modal! Lies  (for  example  formulae  with  all 
temporal  operators,  but  only  the  "somewhere"  spatial  operator,  and  also  formulae 
with  all  spatial  operators,  but  only  the  "eventually"  temporal  operator). 

We  conclude  in  Section  5  with  a  summary  of  our  results. 

2.  Definition  of  Our  Logic.  We  begin  by  describing  our  logic  for  linear  time. 
The  end  of  this  section  briefly  sketches  how  this  logic  can  be  extended  to  first 
order  formulae,  and  to  branching  time. 

2.1.  Networks .  Let  L  be  a  countable  set  of  symbols,  which  we  call  links. 

A  network  G  *  (P,E)  contains  a  countable  set  of  processes  P  and  a  partial 
mapping  E:  L  x  P  -*  P.  For  each  process  p  €  P  and  label  l  €  L,  E(i,p)  is 
(if  defined)  the  process  connected  to  p  by  link  1.  For  example,  a  square 
grid  network  might  have  links  up,  down,  left ,  and  right.  The  links  are  different 
from  atomic  programs  of  PDL  due  to  the  restrictions  given  in  the  next  page. 


2'2,  sYntax  of.  the  Lo<?ic.  We  distinguish  as  temporal  modal  operators  the  symbols 
eventually,  hereafter ,  until,  and  nexttime.  The  spatial  modal  operators  are 
somewhere,  everywhere,  and  any  symbol  in  the  set  of  links  L.  which  we  assume 
contains  none  of  the  previously  mentioned  modal  operators. 

Let  *0  be  811  infinite  set  of  atomic  formulae.  Let  the  set  of  formulae 
*  be  the  minimal  set  of  strings  containing  &Q  and  such  that  if  f  ,  f 2 €  4T  then 

f!  A  f2  €  9 
ifx  €  9 

eventually  f^  €  3F 
hereafter  f^  €  & 
f^  until  f2  e  9 
nexttime  f^  6  & 

somewhere  f^£&  ~ 

everywhere  £  & 
l  f^  €  SF  for  each  link  Z  £  L 

2.3.  Semantics  of  Our  Logic.  Let  a  model  *4(  be  a  5-tuple  (S,  V ,  A,  G,  it)  where: 

(i)  S  is  the  set  of  states, 

(ii)  S  -►  2*°, 

(iii)  A:  (L  U  { nexttime }  )  x  S  -*  S,  is  a  partial  function 

(iv)  G  *  (P,E)  is  a  network,  and 

(v)  it:  S  -*  P. 

Thus  for  each  state  s  €  S,  ¥(s)  is  the  set  of  atomic  formulas  which  hold 
at  s,  and  ir(s)  is  the  process  associated  with  state  s.  Also,  A  (nexttime,  s) 
is  the  state  occurring  in  the  time  instance  just  after  state  s,  and  A(£,s)  is  the 
current  state  of  the  process  connected  to  process  rr(s)  by  link  l. 

We  extend  A  as  a  partial  mapping  to  the  domain  (L  U  {nexttime})*  x  S  so  that 
for  all  s  €  S  A(e,s)  ■  s,  and  A(£,  # £„,  s)  is  defined  iff  A(£, ,s)  and 


A(lj»  A(£^,s))  are  defined  and  in  this  case  A(£^°£2,s)  *  A(£2»  A(£^,s)). 

Similarly  we  also  extend  E  as  a  partial  mapping  to  the  domain  L*  x  P. 

A  model  is  proper  iff 

Rls  For  each  link  £  €  L  and  each  state  s  €  S,  A(£  *  nexttime, s)  =  A {nexttime  »  £,  s) 
(thus  nexttime  commutes  with  respect  to  each  link;  this  presumes  the  processes 
are  synchronous) . 

R2 :  For  each  state  s  £  S,  A{nexttime  ,s)  is  defined  and  ir(s)  =  ir(A  {nexttime,  s)) 
(thus  the  name  of  each  process  is  invariant  over  time) . 

R3;  For  each  state  s  £  S  and  link  £  £  L,  E(£,  ir(s))  is  defined  iff 
A(£,  s)  is  defined  and  in  this  case,  E(£,  ir(s))  =  ir(A(£,  s)) 

(thus  processes  associated  with  states  are  connected  by  the  same  links  as 
in  the  network  G) 

R4 :  For  any  a  ,a  •  €  jf  and  states  s,s'  €  S  if  E(a,ir(s)),  E(a',ir(s'))  are 

defined  and  E(<s,w(s))  =  E(a'fir(s')^  then  A(a,s)  =  A(a',s'). 

(thus  the  relationship  between  the  states  of  two  processes  is  independent  of 
the  particular  paths  of  links  over  which  they  are  connected.) 

R5:  If  ir(s^)  =  ir(s2)  then  for  some  i  £  0  A  {nexttime1 ,  Sj)  =  s2  or 
A {nexttime^ ,  s 2)  =  s . 

Hereafter,  we  consider  only  proper  models. 

Let  us  fix  the  model  tA (.  We  define  truth  of  a  formulae  at  a  given  state 
s  €  S  by  structural  induction. 

For  each  atomic  formula  F  £  &Q,  s  h  F  iff  F  £  M'(s).  For  any  formulas 

tv  f2  € 

8  K  f,  a  f  iff  i  h  f,  and  s  h  f_ 
s  K  ifj  iff  s  V  f1 

8  ^  nexttime  f^  iff  A  {nexttime,  s)  h  f 
s  h  eventually  ^  iff  3k  £  0  A{nexttime*,  s)  N  ^ 

s  V  hereafter  f,  iff  Vk  0,  A  {next  time* ,  s)  h  f. 


8  Mj  until  f2  iff  3k  £  0  Mnexttime ,  s)  N=  f2  and 
Vi,  0  £  i  <  k,  Unexttime i,  s)  k  f1 
s  h  tfj  iff  A(£,s)  is  defined  and  A(£,s)  h  f ^ 

s  ¥  somewhere  f^  iff  3a  €  L*,  such  that  A(a,s)  is  defined  and  A(a,s)  H  f^ 
s  N  everywhere  f^  iff  Va  €  L*  (A(a,s)  is  defined  ^  A(a,s)  1=  f^) 

We  let  denote  truth  with  respect  to  a  given  model 


2.4.  Decision  Problems.  Formula  f  €  &  is  satisfiable  (valid)  if  s  h^^f 
for  some  (all,  respectively)  model  J((  and  state  s.  Given  a  network  G, 
formula  f  €  &  is  G-satisfiable  ( G-valid )  if  s  (=  for  some  (all, respectively) 

models  and  state  s  with  given  network  G. 


2.5.  Extensions  to  a  First  Order  Logic.  The  first  order  version  of  this  logic 
consists  of  the  additional  symbols  like  local  variables,  global  variables,  constant 

symbols,  function  and  relation  sysbols,  and  the  universal  quantifier  v.  A  term 
is  defined  as  in  the  case  of  first  order  predicate  calculus.  An  atomic  formula 

is  an  atomic  proposition  or  of  the  form  R  t^t2-..t^  where  R  is  k-any  relation 
symbol  (R  can  be  equality  in  which  case  k  -  2) .  The  additional  requirement 
for  the  set  of  formulae  is  that  if  f  is  a  formula  and  x  is  a  global  variable 
so  is  Vx(f).  A  model  is  a  5-tuple  (E,  S,  A,  G,  ir)  where  I  ■=  (D,  a, 8)  in 
which  D  is  a  countable  domain  in  which  the  variables  take  values,  a  interprets 
relation  and  function  symbols ,8  is  a  mapping  associating  with  each  global  variable 
and  constant  symbol  a  value  from  the  domain;  S  is  the  set  of  states  where  each 
state  is  a  mapping  that  associates  a  truth  value  with  each  atomic  proposition  and 
a  value  from  D  with  each  local  variable;  A,  G,  ir  are  the  same  as  in  the 
propositional  case.  A  proper  model  should  satisfy  the  same  conditions  as  for 
propositional  case,  modified  in  a  natural  way.  We  consider  only  proper  models. 

Truth  of  an  atomic  formula  in  a  state  of  a  model  is  defined  as  in  the  case  of 


first  order  predicate  calculus;  and  truth  of  a  formula  in  a  state  of  a  model  is 
defined  in  'actively  as  in  the  propositional  version  with  the  following  addition; 
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c  c 

Vx  f  iff  for  each  c  €  D  ,s  ^  f  where  is  exactly  same  as 

except  that  the  global  variable  x  is  given  the  value  c  in  *A(C .  Satisfiablity 
and  validity  of  formulae  ar*  defined  as  usual. 

2.6  Extensions  to  a  Branching  Time  Logic.  We  can  easily  extend  our  logic  to  a 
branching  time  logic,  as  in  IBMP81]. 


E  (exchange,  (a  -,a  ,art))  =  U  0,...,aA) 

*  n-x  n— 2  u  n-x  n—z  u 

Elshuffle ,  (a  ,  ,a  , ...,a  ))  =  (a  ,a  a.) 

n-1  n-2  0  u  n-x  x 

for  all  a  C  (0,l). 

n-1  n-2  o 

Intuitively,  the  exchange  edge  connects  processes  p^  and  p2  if  all  the  bits  of 
p^  and  p^  are  the  same  excepting  the  least  significant  bits  which  are  distinct. 

Ihe  shuffle  edge  connects  two  processes  p^  and  p2»  if  P2  is  obtained  by  one 
cyclic  shift  of  bits  in  p^. 

The  routing  problem  in  this  network  is  to  route  a  packet  present  at  some  process 
to  a  given  destination  traversing  only  along  the  shuffle  and  exchange  edges. 

We  capture  the  name  of  a  process  by  the  atomic  propositions  An_i'An_2' * ' ' ,Ao* 
Ihe  formula  fQ  asserts  that  the  name  of  a  process  is  invariant  over  time; 

A  ( hereafter  v  hereafter 

0  £  i  <n 

f.#  f  assert  that  exchange  and  shuffle  edges  are  properly  connected. 

12 
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f  =  /\  exchange  AJ  a  aq  —  exchange  tAq 

1  <i  <n 

f2  =  /\  (A ^ shuffle  A(i_1}  mod  n) 

0  <  i  <  n 

The  presence  of  the  packet  at  any  process  will  be  indicated  by  the  atomic 

proposition  X,  and  the  destination  by  2'*#‘/D0"  We  assxme  ^at  the 

of  the  destination  travels  with  the  message. 

g  =  xaA  (a.  => everywhere  (x=>A.))  a  (-,a.  3 everywhere  (xd1a.)) 

0  (Xi<n  1  X  1  1 

♦ 

asserts  that  X  is  true  at  at  most  one  place. 

g  =x  aA  (  D.  thereafter  everywhere  (x=D.))  a 
CXi<n  1  1 

(  -tDi  thereafter  everywhere  (x^-iDj) 

asserts  that  the  name  of  the  destination  process  travels  with  the  packet. 

=  xtnexttime  (X  v  ( shuffle  X)  v  exchange  x) 
asserts  that  the  packet  travels  along  shuffle  or  exchange  edges  only. 

The  main  correctness  property  is  g^  which  asserts  that  the  packet  reaches 
its  destination  eventually. 

g,  =  XA  A  (A.  «-*D. ) 

3  (Xi<n-1  1  1 

Let  r  be  a  formula  which  describes  the  actual  routing  algorithm.  Then 

( hereafter  everywhere  (r  a  fQ  A  f ^  a  f 2  a  gQ  a  g^) )  z> eventually  somewhere  g3 

is  a  valid  formula  iff  the  algorithm  correctly  routes  packets. 

Next  we  describe  a  specific  routing  algorithm  for  the  shuffle  exchange  network 
and  derive  the  corresponding  formula  r  for  its  semantics.  The  packet  will  be 
routed  in  n  stages,  where  for  i*0,...,n-l,  if  at  the  start  of  the  i-th  stage 
the  packet  is  located  at  a  process  whose  lowest  order  address  bit  is  not  the 
value  of  D^,  then  the  product  traverses  an  exchange  link.  In  either  case,  the 
product  next  traverses  a  shuffle  link  and  reaches  the  i+1  stage. 


To  define  a  formula  r  for  this  routing  algorithm,  it  is  useful  to  introduce 
proportional  variables  Sg,...^^  and  require  that  only  unique  be  true  at 

any  processes,  and  that  the  S  be  invariant  or  traversing  an  exchange  link  but 
that  s (i+Dmod  n  ***  true  on  traversin9  a  shuffle  link.  Thus  we  let 

r_  =  V  (s .  a  (  A  -|S . )  a  ( nexttime  exchange  s . )  a 
0^i<n  1  0^j<n  ^  1 

i?j  ( nextime  shuffle  s..  _  )) 

(i+l)mod  n 

The  formula  for  semantics  of  this  routing  algorithm  is  therefore: 

r  =  rn  a  (x  =>  V  (S.  a  ( (A  •*-*■  D . )  o nexttime  exchange (x) ) 

1  0  CXi<n 

a  (  (Aq  ++  nP^)  =>  nexttime  shuffle  (x) ) )  . 

3.2  The  Firing  Squad  Problem  for  a  Linear  Array.  We  briefly  describe  the  problem 
and  show  how  its  correctness  can  be  specified  by  our  logic.  A  solution  to  the 
firing  squad  problem  consists  of  a  linear  array  of  deterministic  finite  state 
processes  as  shown  in  figure  1.  The  next  move  of  each  process  is  a  function  or  its 
present  state  and  the  states  of  its  neighbors.  All  the  privates  are  identical 
processes.  The  problem  is  to  obtain  the  program  for  the  lieutenant,  the  sergeant 
and  the  privates  so  that  when  even  the  lieutenant  is  in  a  designated  initial  state, 
then  eventually  all  the  processes  simultaneously  enter  a  special  state  called 
the  firing  state,  and  non  of  them  enters  this  state  before  this  time.  The  solution 
should  work  for  linear  arrays  of  all  sizes. 


right  right  right  right 


left  left  left  left 


Figure  1 

We  assume  that  all  processes  have  states  sets  Q  =  {0,1,2, ...  ,m},  and 
the  state  0  is  the  initial  state  of  each  process.  State  1  is  the  specific 
state  into  which  the  lieutenant  enters  to  start  the  operation,  state  m  is  the 
firing  state.  All  the  privates  are  identical.  We  use  atomic  propositions 
P(),  to  *nc*icate  the  st^te  of  an  process  (P^  is  true  at  a  place  iff 

the  corresponding  process  is  in  a  state  i  at  that  instance)  .  Now  we  assert  the 


the  operation  of  the  system  as  follcws. 


(i) 


(ii) 


Note  that  iZe/£(true)  is  true  only  on  the  lieutenant,  the  left  most 
processor, 

(iii)  Similarly  let  f^,  be  the  formulae  that  define  the  moves  or  all  privates 
and  the  sergeant  respectively.  The  positions  of  privates  is  identified  by 
the  truth  of  the  formula 

lie  ft  (true)  a  right  ( true) ) . 

Note  that  the  position  of  the  sergeant  is  identified  by  the  formula 
^right  (True)  . 

(iv)  Let  gQ  be  the  formula  that  asserts  that  if  any  process  (other  than  the 
lieutenant)  and  all  its  neighbors  are  in  state  0  then  it  remains  in  state 
0  in  the  next  step.  It  is  easily  seen  that  this  can  also  be  asserted. 

Now  we  assert  that  if  all  the  above  conditions  are  met  and  at  any  time  the 
lieutenant  enters  the  state  1  then  all  process  will  eventually  enter  the  firing 
state  simultaneously  at  some  future  instance,  and  none  of  them  will  be  in  the 
firing  state  before  that  instance.  Ihis  is  captured  by  the  formula  g. 

g  -  (I  a  fQ  A  f1  A  gQ)  s  hereafter  [  somewhere  h  left  (true)  a  p^)  s 

Hi  somewhere  P  )  until  ( everywhere  P  ))] 
m  m 


•j1  'asserts  that  each  process  is  in  at  most  one  state  at  any  instant  of 
time. 

I  =  everywhere  hereafter  [  As  (P±  =>  tP^)  ] 

0£i,j 
i  /  j 

f  asserts  that  the  moves  of  lieutenant  is  according  to  its  next  move 
0 

2 

partial  function  6^:  Q  -*  Q. 

fQ  =  everywhere^  lefUtxue)  =  (  (Pq  v  a 

hereafter  A  ((P.  a  right  P.)  z>  nexttime  p  . .))] 
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g  is  valid  on  all  models  with  linear  arrays  as  networks  iff  the  given 
solution  to  the  firing  squad  problem  is  correct.  A  similar  construction  can  be 
given  for  the  firing  squad  problem  over  any  given  network. 

3.3  Systolic  Arithmetic  Computations.  The  systolic  algorithms  of  [KL80]  are  not 
formally  proved  correct  in  their  paper;  instead  they  present  informal  "picture 
proofs".  Our  logic  is  thus  particularly  useful  here  when  extended  to  first  order 
formulae  (as  described  in  Section  2.5). 

We  consider  an  interesting  example  of  a  network  for  matrix-vector  multiplica¬ 
tion  due  to  [KL80] .  The  matrix  is  an  infinite  band  matrix  of  bandwidth  (n+1) . 
The  network  architecture  is  shown  in  figure  2. 


Figure  2 

The  main  processors  are  P  ,  P P  .  The  processors  P'  p*  ..,  P' 

v  x  n  0  1  n 

are  the  input  processors,  each  of  them  contains  a  variable  Z.  The  values  of  Z 
in  Pj  change  with  time  and  they  represent  the  values  of  the  ith  diagonal  of 
the  matrix.  Each  processor  P^  has  two  variables  X,  Y.  The  values  of  the 
variable  X  in  PQ  over  time  represent  the  input  vector.  The  values  of  X 
move  right  with  each  time  instance. 

Thus 

(true)  =>Vot  ( left (x  *  a)  -*-*■  nexttime (X  «  a) ) 

asserts  that  the  value  of  X  at  the  nexttime  instance  in  a  process  P^ (i >  0) , 
is  the  present  value  of  X  in  the  process  left  to  P. . 


At  each  step  (i <  n)  computes  its  value  of  Y  to  be  the  sum  of  the 
previous  value  of  Y  in  process  ?i+1#  plus  the  product  of  X  in  PA  times  Z 
in  P£.  This  is  captured  by 

92  *  Tight  (true)  3  VctVg  (right  (Y  =  a)  a  nexttime  input  (Z  =  8) 

z»nexttime  (Y  =  a  +  x»  8) ) 

At  each  step  Pn  computes  its  value  of  Y  to  be  the  product  of  the  value  of 
X  in  P^  and  the  value  of  Z  in  P^.  This  can  also  be  easily  asserted  by  formula 

g3  =  rights  false)  a  input  (true)  =>VaVg(x  =  a  a  input  (z  =  6) )  ^nexttime  (Y  =  a*  2) )  . 

(note  that  right (false)  a  input {true)  holds  only  for  process  P  ) 

n 

The  correctness  property  at  P^  can  thus  be  expressed  in  our  logic  as 

hereafter  everywhere  (g 1 a g2  a  g^)  thereafter  h 

where 

h  *  left  {false)  a  input  (true)  z> 

n  .  n 

iQ. .  *anV6Q. .  .Bn  (A  nexttim<>x  (x  =  ol)  a  nexttime11  1  (z  =  8. ) )  z>nexttime2n  (Y  =  7  a.  •  3 

11  n  i=0  1  i=0  x 

4.  Decidability  and  Complexity  Issues,  In  this  section  we  consider  issues 
of  decidability  and  conplexity  of  different  versions  of  our  logic.  Recall  that  a 
formula  is  said  to  be  satisfiable  iff  there  exists  a  model  and  a  state  at  which 
the  formula  is  true.  A  formula  is  said  to  be  valid  if  it  is  true  in-  all  states  of 
all  models.  We  say  that  a  formula  is  satisfiable  (valid)  on  finite  networks  if 
the  formula  is  true  in  a  (all)  model  with  finite  networks. 

THEOREM  1.  The  set  of  satisfiable  formulae  of  multiprocessor  network  logic 
is  Incomplete  and  the  set  of  valid  formulae  is 

Proof  sketch:  First  we  show  that  the  set  of  satisfiable  formulae  is  a 
E^-complete  set.  From  this  result  it  can  easily  be  shown  that  the  set  of  valid 
formulae  is  11*- complete. 
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We  consider  a  deterministic  Turing  machine  M  on  infinite  strings.  M  has 
one  read  only  infinite  input  tape,  and  an  infinite  work  tape.  An  infinite  string 
is  input  to  M  on  its  input  tape.  M  never  halts.  M  is  said  to  accept  an  input 
if  during  its  computation  it  goes  into  any  of  a  set  of  final  states  infinitely 
often.  The  set  of  encodings  of  all  Turing  machines  that  accept  at  least  one  input, 
is  shown  to  be  ^-complete  in  [SCFG82].  We  reduce  this  set  to  the  set  of  satis- 

fiable  formulae.  An  ID  of  M  is  the  part  of  input  is  seen  thus  far,  the  contents 

of  the  work  tape,  the  position  of  the  head  on  the  work  tape.  We  define  a  sequence 
of  IDs  of  M  during  its  computation  on  an  input  and  express  this  sequence  using 

a  formula  in  the  logic.  We  also  assert  that  in  this  sequence  final  IDs  (IDs  having 

a  final  state)  appear  infinitely  often.  Thus  given  an  encoding  of  a  Turing  machine 
we  obtain  a  formula  that  is  satisfiable  iff  the  Turing  machine  accepts  at  least 

one  input.  The  details  will  be  given  in  the  full  paper.  o 

Let  (S,  f,  A,  G,  ir)  be  a  model  where  G  =  (P,E)  is  a  finite  network. 

Let  P  -*•  S.  4>  is  said  to  be  consistent  with  if  tt(<Mp))  =  P  for  all 
p  C  P,  and  for  all  Pj  if  p^  *  E(fc,  p^)  for  some  i  €  L,  then 

$(Pj)  =  A(£,  $(pi)).  Let  =  (♦  I  ♦  is  consistent  with  *A(  },  and  let 
next:  be  such  that  for  all  ♦  €  $  and  for  all  p  next(Q) (p)  * 

A  {nexttime,  $(p)).  *At  is  said  to  be  ultimately  periodic  with  starting  index  l 
and  period  m,  if  for  all  $  €  $  next^  {$)  =  next^+m($)  for  all  i  £  i.  For 
any  formula  f,  let  SF(f)  be  the  set  of  subformulae  of  f,  and  for  any  4>  €  $  ,  let 
U]:  P -*  2SF ^  such  that  [$]  (p)  »  {g  |  g  6  SF(f)  and  $(p)  N  g}.  We  require 
a  technical  lemma  characterizing  satisfiability. 

LEMMA  1.  f  ie  satisfaible  in  a  model  over  a  finite  network  iff  f  is 
satisfiable  over  an  ultimately  periodic  model  over  a  finite  network.  o 
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THEOREM  2.  The  set  of  formulae  that  are  satis f table  in  a  model  over  a  finite 
network  is  Z^-complete*  and  the  set  of  valid  formulae  in  models  over  finite  net - 
works  is  iQ-comp lete . 

Proof:  As  in  the  previous  theorem,  we  can  reduce  the  halting  problem  of 
Turing  machines  over  finite  strings  to  the  set  of  satisfiable  formulae  in  a  model 
over  a  finite  network.  We  give  a  Turing  machine  M  which  accepts  the  above  set. 

M  guesses  a  finite  network  and  an  ultimately  periodic  model  over  this  network. 

It  next  verifies  that  f  is  satisfiable  in  this  model.  M  halts  only  on  the  input 
formulae  that  are  satisfiable  in  a  model  over  a  finite  network.  □ 

THEOREM  3.  The  following  problem  is  PSVKCE-Qomplete .  Given  a  finite  network 
Gj  and  a  formula  f,  is  f  satisfiable  in  a  model  over  the  network  G? 

Proof:  The  PSPACE-hardness  of  the  problem  follows  from  the  PSPACE-hardness  of 
satisf iablility  for  linear  time  temporal  logic  [SC82].  We  give  a  polynomial 
space  bounded  Turing  machine  M  that  checks  if  f  is  satisfiable  in  a  model 
over  the  network  G.  M  guesses  [<fr],  and  verifies  for  consistency  and  that 
f  €  [$] (p)  for  some  p  €  P.  At  each  subsequent  instance  M  guesses  [next($)] 
and  checks  that  it  is  consistent  with  [$]  •  It  continues  this  each  time  keeping 
[$]  and  {next}  (<J>)  .  At  a  certain  instance  it  guesses  the  beginning  of  the  period 
and  saves  the  corresponding  [$].  It  continues  the  previous  process,  each  time 
guessing  either  Ineart(^)]  or  guessing  that  it  is  the  end  of  the  periodic  part. 

In  the  latter  case  it  takes  [nex t($)]  to  be  the  saved  value  at  the  beginning  of  the 
period.  Each  time  M  guesses  [next($)]  it  verifies  that  [$1  is  consistent 
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with  l neart{<fr)].  M  also  verifies  that  certain  formulae  are  fulfilled  in  the 
periodic  part.  M  clearly  uses  space  polynomial  in  the  size  of  G  and  the  size 
of  f.  Further,  we  can  show:  a 

THEOREM  4.  The  set  of  valid  formulae  of  firs t  order  multiprocessor  network 
logic  over  models  on  finite  networks  is  n ^-complete.  a 


5.  Conclusions.  We  have  proposed  a  logic  to  reason  about  computations  of  multi¬ 
processor  networks.  We  feel  that  our  logic  will  be  useful  to  specify  the  semantics 
and  prove  correctness  of  multiprocess  networks .  No  such  formal  system  for  multi¬ 
processor  networks  had  been  proposed  previously.  We  have  examined  the  application 
of  our  logic  to  some  diverse  multiprocess  network  problems,  anu  presented  some 
results  in  decidability  and  complexity  of  our  logic. 
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